15:01:59 RRSAgent has joined #webappsec
15:01:59 logging to http://www.w3.org/2014/06/18-webappsec-irc
15:02:08 zakim, this is 92794
15:02:08 ok, bhill2; that matches SEC_WASWG()11:00AM
15:02:32 Meeting: WebAppSec WG Teleconference, 18-Jun-2014
15:02:41 +BHill
15:02:53 +glenn
15:03:24 bhill2 has changed the topic to: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0180.html
15:04:48 + +1.310.597.aabb
15:04:57 klee has joined #webappsec
15:04:58 tanvi has joined #webappsec
15:05:05 zakim, who is here?
15:05:05 On the phone I see +1.503.712.aaaa, [Microsoft], BHill, glenn, +1.310.597.aabb
15:05:08 On IRC I see tanvi, klee, RRSAgent, Zakim, neilm, bhill2, dveditz, wuwei, tobie, glenn, terri, timeless_, mkwst__, trackbot, wseltzer, freddyb
15:05:10 + +1.831.246.aacc
15:05:13 zakim, aabb is tanvi
15:05:13 +tanvi; got it
15:05:23 +[IPcaller]
15:05:28 Zakim, aacc is dveditz
15:05:29 +dveditz; got it
15:05:35 Chairs: bhill2, dveditz
15:05:36 zakim, IPcaller is neilm
15:05:36 +neilm; got it
15:05:38 I'm lurking on IRC only, as I have a conflicting meeting today
15:06:59 gopal has joined #webappsec
15:07:36 Scribe: Dan Veditz
15:07:39 Scribenick: dveditz
15:08:59 david hall speaking... from MS works in the area of networking
15:09:03 + +1.781.262.aadd
15:09:14 Agenda: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0180.html
15:09:29 zakim, who is here?
15:09:29 On the phone I see +1.503.712.aaaa, [Microsoft], BHill, glenn, tanvi, dveditz, neilm, +1.781.262.aadd
15:09:31 On IRC I see gopal, tanvi, klee, RRSAgent, Zakim, neilm, bhill2, dveditz, wuwei, tobie, glenn, terri, timeless_, mkwst__, trackbot, wseltzer, freddyb
15:09:35 zakim, aadd is gopal
15:09:35 +gopal; got it
15:09:47 zakim, [Microsoft] is David Walp
15:09:47 I don't understand '[Microsoft] is David Walp', bhill2
15:09:59 zakim, [Microsoft] has David Walp
15:10:00 +David, Walp; got it
15:10:17 zakim, aaaa is terri
15:10:17 +terri; got it
15:10:18 Zakim, aaaa is me
15:10:19 sorry, terri, I do not recognize a party named 'aaaa'
15:10:35 TOPIC: Minutes Approval http://www.w3.org/2011/webappsec/draft-minutes/2014-05-21-webappsec-minutes.html
15:11:05 minutes unanimously approved
15:11:06 bhill2: last call was informal due to low attendance, is there approval for the May 21 minutes?
15:11:21 bhill2: approved. agenda bashing:
15:11:42 ... any new topics not in the agenda? ... not
15:11:44 TOPIC: Review of Open Actions in the Tracker
15:11:49 http://www.w3.org/2011/webappsec/track/actions/open?sort=owner
15:11:53 ... review of open actions in tracker
15:12:32 ... Mike sends his regrets, but his items are all related to 1.2 and we can skip those
15:13:15 ... 168 should belong to me [bhill2]. I raised this on the list so marking it closed
15:13:31 ... is devd on the call?
15:13:42 ... skip the sub-resource integrity items then
15:14:01 ... still working through the redirect issues on the list
15:14:09 ... moving on to new topics
15:14:15 TOPIC: News
15:14:57 ... there's a new extended date for call for exclusions for SRI. if you/your org has IP exclusions you have until August 15
15:15:33 ... LC for UI security directives concluded last call, awaiting implementations to make further progress on that spec
15:15:49 http://www.w3.org/2014/11/TPAC/
15:16:16 ... TPAC coming up in Santa Clara, would like to have F2F meeting there. registration now open
15:16:37 ... will send a survey to the list to make sure we'll have a quorum of people interested
15:16:50 tanvi: do we know which two of the 4 days it will be?
15:17:06 bhill2: still have a chance to decide, if you have a preference please let us know
15:17:41 ... final news item, bhill hosting a "Test the web forward" event in Portland with imelven
15:17:56 ... Aug 3, focusing on CSP
15:18:40 ... would appreciate anyone coming or publicizing the date. MS will be sending some subject matter experts so there will be other things worked on as well
15:18:51 TOPIC: 'Mixed Content' draft up for review.
15:18:57 ... next topic: mixed content draft up for review
15:18:57 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0041.html
15:19:44 ... when we rechartered we talked about developing a spec to describe the nominal behavior of browsers handling mixtures of secure and insecure content
15:19:50 puhley has joined #webappsec
15:20:11 ... mkwst created a draft and is suggesting it's appropriate for this group to work on that topic
15:20:23 ... what do people think about this WG taking on this project
15:21:04 tanvi: I think the draft is in good shape, don't see why we wouldn't continue to work on it. This needs to be standardized so content developers know what to expect
15:21:32 bhill2: seems to be good interest on the part of browser vendor community in implementing this
15:21:56 david walp: we've seen the draft and hope to get feedback to the group soon
15:22:19 ACTION bhill2 to send a CfC to adopt Mixed Content Draft as a WG product
15:22:19 Created ACTION-177 - Send a cfc to adopt mixed content draft as a wg product [on Brad Hill - due 2014-06-25].
15:22:20 bhill2: I will propose to the list that we adopt this specification as a formal part of the WG
15:22:30 TOPIC: [Bug 26061] New: Improve consistency with CSP 1.1 w.r.t. add-on/extension semantics.
15:22:36 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0136.html
15:22:47 bhill2: raised by glenn
15:23:17 -gopal
15:23:50 ... he wants to backport the CSP 1.1 text into CSP 1.0 since it's not normative text
15:25:01 dveditz: I don't want to disturb the process or risk delaying CSP 1.0
15:25:17 glenn: this is routinely done in non-normative text, will not delay the process
15:25:50 bhill2: if there are no objections I will take this as an action to get this updated
15:25:58 thanks
15:26:01 ACTION bhill2 to update CSP 1.0 extensions language for PR to match 1.1 LCWD text
15:26:02 Created ACTION-178 - Update csp 1.0 extensions language for pr to match 1.1 lcwd text [on Brad Hill - due 2014-06-25].
15:26:13 TOPIC: [integrity] The noncanonical-src attribute
15:26:18 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0176.html
15:26:22 bhill2: next topic, noncanonical-src in SRI spec
15:27:27 bhill2: msg from opera asking why having it when you could do it with script? my thought is why make people do it in script if you can do it in declarative form
15:27:34 bhill2: thoughts on the list
15:27:48 TOPIC: CfC to publish a LCWD of CSP 1.1
15:27:54 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0135.html
15:28:48 ... most impt item -- mkwst thinks we're close to CfC for CSP 1.1 and could handle the remaining issues in the last call period
15:29:04 ... items like blocking redirects, some polish on interaction with svg
15:29:26 ... mkwst and I joined the svg call and there's a wiki page up documenting some of that
15:29:46 ... would like to take a census of the folks on the call
15:29:55 ... any objections?
15:30:08 glenn: are there any features that need to be identified as at risk?
15:30:24 bhill2: I think.... good point
15:31:03 glenn: if there's expectation that we're going into LC with items at risk it's usual to mark it as such as a warning
15:31:27 ... not much risk if you don't identify it -- the impt time is to do so in CR period
15:32:53 dveditz: nothing Mozilla objects to, but we don't have implementations of all of it
15:32:59 tanvi: agreed
15:33:21 RESOLVED: CSP 1.1 to LCWD
15:33:25 bhill2: any objections from anyone else? hearing no objections we are resolved to take CSP 1.1 to LCWD
15:33:41 +gopal
15:33:46 glenn: do we have an expected duration for LC?
15:33:58 bhill2: did mkwst list that on his original call?
15:34:29 ... he did not. typically we have done a one-month period in this WG. as a new member would MS need a longer period of time?
15:34:38 david walp: no, we're fine
15:35:03 glenn: < is it reasonable to accommodate ???? (didn't catch it)
15:35:26 glenn: is one month sufficient if we need to request review from other groups?
15:35:31 bhill2: typically WC has not heard a response from that group, they're not very active
15:36:27 ACTION bhill2 to investigate duration of LC for CSP 1.1
15:36:27 Created ACTION-179 - Investigate duration of lc for csp 1.1 [on Brad Hill - due 2014-06-25].
15:37:18 dveditz: it's the beginning of summer, many people take large chunks of time off
15:37:29 TPAC target sounds good for end LC
15:37:35 bhill2: good point maybe end in August. I'll suggest that to mike and see what he says
15:37:36 TOPIC: CORS and null
15:37:40 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0037.html
15:38:27 bhill2: anne suggested adding explicit handling for (null) in the CORS spec
15:38:55 ... unfortunately CORS is at recommendation stage, is it worth reopening that spec or do an errata, or handle it in the fetch spec?
15:39:28 ... anyone willing to take it on or should we just consider CORS superseded by fetch
15:39:39 ... not hearing much interest here, will take it back to the list
15:39:40 TOPIC: CSP sandboxing and workers
15:39:49 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0102.html
15:39:58 ... sandboxing workers also related to svg
15:40:53 ... please take a look at the table and think about how it relates to svg
15:41:17 terri: have we heard anything back from svg group?
15:41:52 bhill2: what we should do is take a look at the wiki and make a proposal about how CSP should apply to svg in various modes (as image, style, in-line...)
15:42:02 ... and see what they say about it
15:42:17 TOPIC: Discuss SVG and CSP for the June 5 SVG teleconference
15:42:22 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0093.html
15:42:43 https://www.w3.org/wiki/SVG_Security
15:44:18 ... misc topics about referrers, redirects, whether referrers should be allowed in CSP (header vs. meta tag)
15:44:35 ISSUE should we mark referrer and reflected-xss as AT RISK in CSP 1.1 LCWD?
15:44:36 ... we should mark some of these at risk if we're in LC
15:45:28 ISSUE: should we mark referrer and reflected-xss as AT RISK in CSP 1.1 LCWD?
15:45:29 Created ISSUE-61 - Should we mark referrer and reflected-xss as at risk in csp 1.1 lcwd?. Please complete additional details at .
15:46:02 terri: are we going to review how CSP is used in manifests of web apps?
15:46:30 bhill2: we have not formally reviewed it as a group
15:47:16 ... would you expect someone from this group to review this?
15:47:40 terri: looks like it will have similar race conditions we're worrying about with the header
15:47:44 -gopal
15:48:25 bhill2: when I talked to mark about this it's not quite the same as
15:49:19 .... will add text saying it's best practice to specify the same policy in headers as in the web app manifest
15:50:10 terri: is there a reference I can link to, or do I just need to tell them "this is what it should say"
15:50:32 bhill2: for installable web apps the manifest will always be there, you should treat it as if it came from a header
15:51:00 TOPIC: CSP: Problems with referrer and reflected-xss
15:51:02 ... and then if you encounter a policy in addition you can handle it the way CSP normally does
15:51:06 http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0178.html
15:52:15 ... is it appropriate to include features like "referrer" that can be seen as WEAKENING the security of the page (in some cases)
15:52:31 ... or should we only include policies that will make the page more secure
15:53:03 ... with my hat as a web sec person (not chair) I think it's better to include as much in one place as possible
15:54:32 tanvi: Firefox has a "don't send the referrer" preference. would the UA have the flexibility to respect a pref if the CSP says to send one?
15:55:24 bhill2: I think it should be clear that the spec shouldn't override a user-setting
15:55:26 ACTION mkwst to document that user-set prefs regarding referrers override CSP-set policies
15:55:26 Created ACTION-180 - Document that user-set prefs regarding referrers override csp-set policies [on Mike West - due 2014-06-25].
15:56:23 bhill2: doesn't sound like there's objections to including these kinds of features
15:57:09 ... would be interested in hearing MS's opinion on this.
15:57:28 david walp: that makes sense. please put it on the list and I'll find the right person to comment on it
15:58:26 tanvi: for the reflected-xss directive it's not clear the site is safer with or without it, so the objection really doesn't clearly apply to this directive anyway
15:59:12 bhill2: the xss filters aren't officially defined as part of the platform so it's a little tricky to say what this flag does because it's controlling behavior that is undefined
15:59:37 -glenn
15:59:39 ... talk to everyone in 2 wks
15:59:41 -neilm
15:59:44 -[Microsoft]
15:59:46 zakim, list attendees
15:59:46 As of this point the attendees have been +1.503.712.aaaa, BHill, glenn, +1.310.597.aabb, +1.831.246.aacc, tanvi, dveditz, neilm, +1.781.262.aadd, gopal, David, Walp, terri
15:59:49 rrsagent, draft minutes
15:59:49 I have made the request to generate http://www.w3.org/2014/06/18-webappsec-minutes.html bhill2
15:59:53 -terri
15:59:54 -dveditz
15:59:55 rrsagent, set logs public-visible
15:59:57 -tanvi
15:59:59 -BHill
16:00:01 SEC_WASWG()11:00AM has ended
16:00:01 Attendees were +1.503.712.aaaa, BHill, glenn, +1.310.597.aabb, +1.831.246.aacc, tanvi, dveditz, neilm, +1.781.262.aadd, gopal, David, Walp, terri
16:04:55 bhill2 has left #webappsec
16:05:12 puhley has left #webappsec
18:02:50 Zakim has left #webappsec
18:03:21 tanvi has left #webappsec
18:58:05 wuwei has joined #webappsec
19:57:39 wuwei has joined #webappsec
20:03:06 wwu has joined #webappsec
22:06:29 glenn_ has joined #webappsec
22:14:31 glenn has joined #webappsec
23:21:04 glenn has joined #webappsec
23:47:43 glenn_ has joined #webappsec
23:54:34 glenn has joined #webappsec